1 / 36

Formal Methods for Software Engineering

Formal Methods for Software Engineering. Lecture , Part II: Liveness. Contents. Liveness Progress, fairness Single-lane bridge problem continued Congestion Readers-writers problem Locking. Liveness. A safety property asserts that nothing bad happens.

preston-mccoy
Download Presentation

Formal Methods for Software Engineering

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Formal Methods for Software Engineering Lecture , Part II: Liveness

  2. Contents • Liveness Progress, fairness • Single-lane bridge problem continued Congestion • Readers-writers problem Locking FMSE, Lecture 7

  3. Liveness A safety property asserts that nothingbad happens. A liveness property asserts that somethinggoodeventually happens. Single Lane Bridge: Does every car eventually get an opportunity to cross the bridge? A progress property asserts that it is always the case that an action is eventually executed. Progress is the opposite of starvation, the name given to a concurrent programming situation in which an action is never executed. FMSE, Lecture 7

  4. COIN =(toss->heads->COIN |toss->tails->COIN). If a coin were tossed an infinite number of times, we would expect that heads would be chosen infinitely often and that tails would be chosen infinitely often. This requires Fair Choice ! toss toss 0 1 2 heads tails Fair Choice • Fair Choice: If a choice over a set of transitions is executed infinitely often, then every transition in the set will be executed infinitely often. FMSE, Lecture 7

  5. COIN system: progress HEADS = {heads}? progress TAILS = {tails}? Progress Properties • progress P = {a1,a2,..,an} defines a progress propertyPwhich asserts that in an infinite execution of a target system, at least one of the actionsa1,a2,..,anwill be executed infinitely often. No progress violations detected. LTSA check progress: FMSE, Lecture 7

  6. Suppose that there were two possible coins that could be picked up: pick toss pick toss toss atrickcoinandaregularcoin…… 0 1 2 3 4 5 heads tails heads TWOCOIN: progress HEADS = {heads}? progress TAILS = {tails}? Progress Properties TWOCOIN = (pick->COIN|pick->TRICK), TRICK = (toss->heads->TRICK), COIN = (toss->heads->COIN|toss->tails->COIN). FMSE, Lecture 7

  7. pick toss progress HEADS = {heads} progress TAILS = {tails} LTSA check progress pick toss toss 0 1 2 3 4 5 heads tails heads Progress violation: TAILS Path to terminal set of states: pick Actions in terminal set: {toss, heads} Progress Properties progress HEADSorTails = {heads,tails}? FMSE, Lecture 7

  8. pick Terminal sets for TWOCOIN: {1,2} and {3,4,5} toss pick toss toss 0 1 2 3 4 5 heads tails heads Progress Analysis A terminal set of states is one in which every state is reachable from every other state in the set via one or more transitions, and there is no transition from within the set to any state outside the set. Given fair choice, each terminal set represents an execution in which each action used in a transition in the set is executed infinitely often. Since there is no transition out of a terminal set, any action that is not used in the set cannot occur infinitely often in all executions of the system - and hence represents a potential progress violation! FMSE, Lecture 7

  9. pick progress TAILS = {tails} in {1,2} toss pick toss toss 0 1 2 3 4 5 heads tails heads Default analysis for TWOCOIN? Progress Analysis A progress property is violated if analysis finds a terminal set of states in which none of the progress set actions appear. Default: given fair choice, for every action in the alphabet of the target system, that action will be executed infinitely often. This is equivalent to specifying a separate progress property for every action. FMSE, Lecture 7

  10. pick toss pick toss toss 0 1 2 3 4 5 tails heads heads Progress Analysis Default analysis for TWOCOIN: separate progress property for every action. Progress violation for actions: {pick} Path to terminal set of states: pick Actions in terminal set: {toss, heads, tails} Progress violation for actions: {pick, tails} Path to terminal set of states: pick Actions in terminal set: {toss, heads} If the default holds, then every other progress property holds i.e. every action is executed infinitely often and each terminal set has all actions in it. FMSE, Lecture 7

  11. The Single Lane Bridge implementation can permit progress violations. However, if default progress analysis is applied to the model then no violations are detected! Why not? progress BLUECROSS = {blue[ID].enter} progress REDCROSS = {red[ID].enter} No progress violations detected. Fair choice means that eventually every possible execution occurs, including those in which cars do not starve. To detect progress problems we must superimpose some scheduling policy for actions, which models the situation in which the bridge is congested. Progress - Single Lane Bridge FMSE, Lecture 7

  12. ||C = (P||Q)<<{a1,…,an}specifies a composition in which the actionsa1,..,anhavehigherpriority than any other action in the alphabet ofP||Qincluding the silent actiontau.In any choice in this system which has one or more of the actionsa1,..,anlabeling a transition, the transitions labeled with lower priority actions arediscarded. HighPriority<< ||C = (P||Q)>>{a1,…,an}specifies a composition in which the actionsa1,..,anhave lowerpriority than any other action in the alphabet ofP||Qincluding the silent actiontau.In any choice in this system which has one or more transitions not labeled bya1,..,an,the transitions labeled bya1,..,anarediscarded. LowPriority>> Progress - Action Priority Action priority expressions describe scheduling properties: FMSE, Lecture 7

  13. sleep NORMAL =(work->play->NORMAL |sleep->play->NORMAL). work 0 1 2 play play work ||HIGH =(NORMAL)<<{work}. 0 1 play sleep ||LOW =(NORMAL)>>{work}. 0 1 play Progress - Action Priority Action priority simplifies the resulting LTS by discarding lower priority actions from choices. FMSE, Lecture 7

  14. progress BLUECROSS = {blue[ID].enter} progress REDCROSS = {red[ID].enter} BLUECROSS- eventually one of thebluecars will be able to enter REDCROSS- eventually one of theredcars will be able to enter Congested Single Lane Bridge • Congestion using action priority? • Could give red cars priority over blue (or vice versa) ? • In practice neither has priority over the other. • Instead we merely encourage congestion by • lowering the priority of the exit actions of • both cars from the bridge. Progress Analysis ? LTS? ||CongestedBridge =(SingleLaneBridge) >>{red[ID].exit,blue[ID].exit}. FMSE, Lecture 7

  15. Progress Analysis Progress violation: BLUECROSS Path to terminal set of states: red.1.enter red.2.enter Actions in terminal set: {red.1.enter, red.1.exit, red.2.enter, red.2.exit, red.3.enter, red.3.exit} Progress violation: REDCROSS Path to terminal set of states: blue.1.enter blue.2.enter Actions in terminal set: {blue.1.enter, blue.1.exit, blue.2.enter, blue.2.exit, blue.3.enter, blue.3.exit} This corresponds with the observation that, withmore than one car, it is possible that whichever colour car enters the bridge first will continuously occupy the bridge preventing the other colour from ever crossing. FMSE, Lecture 7

  16. red.1.enter blue.1.enter blue.2.enter blue.1.exit blue.1.enter red.2.enter red.1.exit red.1.enter 0 1 2 3 4 5 6 7 8 blue.2.exit red.2.exit ||CongestedBridge = (SingleLaneBridge)>>{red[ID].exit,blue[ID].exit}. Progress Analysis Will the results be the same if we model congestion by giving car entry to the bridge high priority? Can congestion occur if there is only one car moving in each direction? FMSE, Lecture 7

  17. The bridge needs to know whether or not cars are waiting to cross. To model this cars request entering the bridge. CAR = (request->enter->exit->CAR). Revised Single Lane Bridge • Modify BRIDGE: • Redcars are only allowed to enter the bridge if there are nobluecars on the bridgeandthere areno blue cars waiting to enter the bridge. • Bluecars are only allowed to enter the bridge if there are noredcars on the bridgeandthere areno red cars waitingto enter the bridge. FMSE, Lecture 7

  18. Revised Single Lane Bridge /*nr– number of red cars on the bridgewr–number of red cars waiting to enter nb– number of blue cars on the bridgewb–number of blue cars waiting to enter */ BRIDGE = BRIDGE[0][0][0][0], BRIDGE[nr:T][nb:T][wr:T][wb:T] = (red[ID].request-> BRIDGE[nr][nb][wr+1][wb] |when (nb==0 &&wb==0) red[ID].enter-> BRIDGE[nr+1][nb][wr-1][wb] |red[ID].exit-> BRIDGE[nr-1][nb][wr][wb] |blue[ID].request -> BRIDGE[nr][nb][wr][wb+1] |when (nr==0 &&wr==0) blue[ID].enter-> BRIDGE[nr][nb+1][wr][wb-1] |blue[ID].exit-> BRIDGE[nr][nb-1][wr][wb] ). OK now? FMSE, Lecture 7

  19. Trace to DEADLOCK: • red.1.request • red.2.request • red.3.request • blue.1.request • blue.2.request • blue.3.request The trace is the scenario in which there are cars waiting at both ends, and consequently, the bridge does not allow either red or blue cars to enter. Analysis of Revised Model Solution? Introduce some asymmetry in the problem (cf. Dining philosophers). This takes the form of a boolean variable (bt) which breaks the deadlock by indicating whether it is the turn of blue cars or red cars to enter the bridge. Arbitrarily set bt to true initially giving blue initial precedence. FMSE, Lecture 7

  20. Analysis ? 2nd Model Revision const True = 1 const False = 0 range B = False..True /*bt -trueindicatesblueturn,falseindicatesredturn */ BRIDGE = BRIDGE[0][0][0][0][True], BRIDGE[nr:T][nb:T][wr:T][wb:T][bt:B] = (red[ID].request-> BRIDGE[nr][nb][wr+1][wb][bt] |when (nb==0 && (wb==0||!bt)) red[ID].enter-> BRIDGE[nr+1][nb][wr-1][wb][bt] |red[ID].exit-> BRIDGE[nr-1][nb][wr][wb][True] |blue[ID].request-> BRIDGE[nr][nb][wr][wb+1][bt] |when (nr==0 && (wr==0||bt)) blue[ID].enter-> BRIDGE[nr][nb+1][wr][wb-1][bt] |blue[ID].exit-> BRIDGE[nr][nb-1][wr][wb][False] ). FMSE, Lecture 7

  21. Readers and Writers A shared database is accessed by two kinds of processes. Readers execute transactions that examine the database while Writers both examine and update the database. A Writer must have exclusive access to the database; any number of Readers may concurrently access it. FMSE, Lecture 7

  22. Readers/writers Model • Events or actions of interest? acquireRead, releaseRead, acquireWrite, releaseWrite • Identify processes. Readers, Writers & the RW_Lock • Identify properties. RW_Safe RW_Progress • Define each process and interactions (structure). FMSE, Lecture 7

  23. Readers-writers Model set Actions = {acquireRead,releaseRead,acquireWrite,releaseWrite} READER =(acquireRead->examine->releaseRead->READER) + Actions \ {examine}. WRITER = (acquireWrite->modify->releaseWrite->WRITER) + Actions \ {modify}. Alphabet extension is used to ensure that the other access actions cannot occur freely for any prefixed instance of the process (as before). Action hiding is used as actions examine and modify are not relevant for access synchronisation. FMSE, Lecture 7

  24. Readers/writers Lock const False = 0 const True = 1 range Bool = False..True const Nread = 2// Maximum readers const Nwrite= 2// Maximum writers RW_LOCK = RW[0][False], RW[readers:0..Nread][writing:Bool] = (when (!writing) acquireRead -> RW[readers+1][writing] |releaseRead -> RW[readers-1][writing] |when (readers==0&&!writing) acquireWrite -> RW[readers][True] |releaseWrite -> RW[readers][False] ). The lock maintains a count of the number of readers, and a Boolean for the writers. FMSE, Lecture 7

  25. We can check that RW_LOCK satisfies the safety property…… ||READWRITELOCK = (RW_LOCK || SAFE_RW). Safety Property property SAFE_RW = (acquireRead -> READING[1] |acquireWrite-> WRITING ), READING[i:1..Nread] = (acquireRead -> READING[i+1] |when(i>1) releaseRead-> READING[i-1] |when(i==1)releaseRead-> SAFE_RW ), WRITING = (releaseWrite-> SAFE_RW). Safety Analysis ? LTS? FMSE, Lecture 7

  26. An ERROR occurs if a reader or writer is badly behaved (release before acquire or more than two readers). We can now compose the READWRITELOCK with READER and WRITER processes according to our structure… … acquireRead acquireWrite acquireRead -1 0 1 2 3 releaseRead releaseWrite releaseRead releaseWrite releaseRead releaseRead releaseWrite acquireRead releaseWrite Read-write Lock ||READERS_WRITERS = (reader[1..Nread] :READER || writer[1..Nwrite]:WRITER ||{reader[1..Nread], writer[1..Nwrite]}::READWRITELOCK). Safety and Progress Analysis ? FMSE, Lecture 7

  27. progress WRITE = {writer[1..Nwrite].acquireWrite} progress READ = {reader[1..Nread].acquireRead} WRITE- eventually one of thewriterswill acquireWrite READ- eventually one of thereaderswill acquireRead Progress Analysis • Adverse conditions using action priority? • we lower the priority of the release actions for both readers and writers. ||RW_PROGRESS = READERS_WRITERS >>{reader[1..Nread].releaseRead, writer[1..Nread].releaseWrite}. Progress Analysis ? LTS? FMSE, Lecture 7

  28. Try the Applet! reader.1.acquireRead reader.2.acquireRead writer.1.acquireWrite writer.2.acquireWrite reader.1.acquireRead reader.2.releaseRead 0 1 2 3 4 5 writer.2.releaseWrite reader.1.releaseRead reader.2.acquireRead writer.1.releaseWrite Progress Analysis Writer starvation: The number of readers never drops to zero. Progress violation: WRITE Path to terminal set of states: reader.1.acquireRead Actions in terminal set: {reader.1.acquireRead, reader.1.releaseRead, reader.2.acquireRead, reader.2.releaseRead} FMSE, Lecture 7

  29. Implementation –MonitorInterface We concentrate on the monitor implementation: interface ReadWrite { public void acquireRead() throws InterruptedException; public void releaseRead(); public void acquireWrite() throws InterruptedException; public void releaseWrite(); } We define an interface that identifies the monitor methods that must be implemented, and develop a number of alternative implementations of this interface. Firstly, the safe READWRITELOCK. FMSE, Lecture 7

  30. Implementation - ReadWriteSafe class ReadWriteSafe implements ReadWrite { private int readers =0; private boolean writing = false; publicsynchronized void acquireRead() throws InterruptedException { while (writing) wait(); ++readers; } publicsynchronized void releaseRead() { --readers; if(readers==0) notify(); } Unblock asinglewriterwhen no more readers. FMSE, Lecture 7

  31. Implementation - ReadWriteSafe publicsynchronized void acquireWrite() throws InterruptedException { while (readers>0 || writing) wait(); writing = true; } publicsynchronized void releaseWrite() { writing = false; notifyAll(); } } Unblockallreaders However, this monitor implementation suffers from the WRITE progress problem: possible writer starvationif the number of readers never drops to zero. Solution? FMSE, Lecture 7

  32. Strategy: Block readers if there is a writer waiting. Writer Priority set Actions = {acquireRead,releaseRead,acquireWrite, releaseWrite,requestWrite} WRITER =(requestWrite->acquireWrite->modify ->releaseWrite->WRITER )+Actions\{modify}. FMSE, Lecture 7

  33. Model - Writer Priority RW_LOCK = RW[0][False][0], RW[readers:0..Nread][writing:Bool][waitingW:0..Nwrite] = (when (!writing &&waitingW==0) acquireRead -> RW[readers+1][writing][waitingW] |releaseRead -> RW[readers-1][writing][waitingW] |when (readers==0 && !writing) acquireWrite-> RW[readers][True][waitingW-1] |releaseWrite-> RW[readers][False][waitingW] |requestWrite-> RW[readers][writing][waitingW+1] ). Safety and Progress Analysis ? FMSE, Lecture 7

  34. Analysis - Writer Priority No deadlocks/errors property RW_SAFE: progress READ and WRITE: Readerstarvation: if always awriterwaiting. Progress violation: READ Path to terminal set of states: writer.1.requestWrite writer.2.requestWrite Actions in terminal set: {writer.1.requestWrite, writer.1.acquireWrite, writer.1.releaseWrite, writer.2.requestWrite, writer.2.acquireWrite, writer.2.releaseWrite} In practice, this may be satisfactory as is usually more read access than write, and readers generally want the most up to date information. FMSE, Lecture 7

  35. Implementation - ReadWritePriority class ReadWritePriority implements ReadWrite{ private int readers =0; private boolean writing = false; private int waitingW = 0; // no of waiting Writers. public synchronized void acquireRead() throws InterruptedException { while (writing || waitingW>0) wait(); ++readers; } public synchronized void releaseRead() { --readers; if (readers==0) notify(); } FMSE, Lecture 7

  36. Implementation - ReadWritePriority synchronizedpublic void acquireWrite() { ++waitingW; while (readers>0 || writing) try{ wait();} catch(InterruptedException e){} --waitingW; writing = true; } synchronizedpublic void releaseWrite() { writing = false; notifyAll(); } } Both READ and WRITE progress properties can be satisfied by introducing a turn variable . FMSE, Lecture 7

More Related